By Roy Urrico
There were 841 publicly reported data compromises in the first quarter of 2024. That is a 90% increase compared to the first quarter of 2023 (442 compromises). This is among the findings in the first quarter 2024 Data Breach Analysis from the Identity Theft Resource Center (ITRC), the El Cajon, Calif.-based national nonprofit organization that supports victims of identity crime.
This first quarter of 2024 comes after the ITRC reported a record total of 3,205 data breaches, exposures, leaks and unspecified events for the entirety of 2023.
The first quarter analysis also reports attacks increased across 15 of 17 industries tracked by the ITRC. Financial Services was the most attacked industry in this first quarter of 2024 with 224 compromises reported. Nineteen of those reported incidents impacted credit unions.
The number of reported victims in the first quarter of 2024 (28,596,892) decreased 72% compared to the same quarter last year (100,686,535), and 81% from the previous quarter (152,679,771). Cyberattacks remained the primary cause of data breaches involving stolen personal information, the report noted. Additionally, there were an estimated 353,027,892 total victims in 2023.
“The dramatic increase in data compromises continues to concern us,” said Eva Velasquez, president and CEO of the ITRC. “However, the decrease in victims impacted is a bit of good news, though still too high. We believe it is due to identity criminals launching more targeted attacks, which differ from tactics used five to ten years ago. With that said, it is critical that businesses and consumers continue to practice good password hygiene and transition to passkeys when possible.”
Not Always Giving Notice
The ITRC revealed the number of cyberattack-related data breach notices without information about the root cause of the attack jumped from 166 in the first quarter of 2023 to 439 in 2024’s first quarter. These findings, according to the report, translate to more than two-thirds of breach notices based on cyberattacks that contain no information about the cause. Fewer than 50% of cyberattack notices in quarter one 2023, the report found, lacked root cause information.
The ITRC noted that publicly traded companies regulated by the U.S. Securities and Exchange Commission (SEC) or the Federal Communications Commission (FCC) are under new reporting mandates that require more information sharing on a timelier basis. According to the ITRC, these new regulations appear to be prompting more information sharing. “However, only 75 of the 841 entities reporting a compromise in quarter one were subject to the new regulations, a 9% rate that is consistent with the overall number of publicly traded companies versus non-public and non-profit entities.”
The ITRC reported data breach notices from financial services tripled year-over-year (70 notices in the first quarter 2023, compared to 224 in the first quarter 2024). Financial Services (224 notices) displaced healthcare (124 notices) as the most attacked industry in 2024’s first quarter. Attacks against professional services (100 notices) more than doubled, becoming the third industry to publish triple-digit notices in the quarter.
Attacks More Targeted
“The consensus among cybersecurity experts and the ITRC is that the number of victims per compromise is drifting lower as identity criminals launch more targeted assaults that are vastly different from the ‘pray & spray’ attacks of the late 20-teens,” stated the report.
However, the report noted, more breaches with fewer people impacted does not mean individuals or businesses can reduce their level of diligence. For example, legitimate login credentials, obtained in focused attacks, remain a common attack vector and are used to launch various subsequent attacks and identity scams. This includes supply chain attacks that compromise multiple organizations in a single exploit.
Other ITRC Data Breach Analysis report findings include:
Data compromises reported in the first quarter of 2024 included 642 cyberattacks, 85 compromises caused by system or human errors, and 11 physical attacks, impacting an estimated 28,596,892 victims. Cyberattacks remained, by a wide margin, the primary cause of data breaches involving stolen personal information.
The number of organizations impacted by supply chain attacks more than tripled in quarter one 2024 compared to the same period in 2023. (The ITRC reports third-party/supply chain attacks as a single attack against the company that lost control of the information.) The total number of individuals impacted by third-party incidents is based on notices sent by the multiple organizations impacted by the single data compromise.
Fifty new attacks impacted 243 organizations and approximately 7.5 million victims compared to 73 entities and an estimated 11.4 million victims in quarter one 2023.